iOS Critical vulnerability in Configuration Profiles pose Malware

Skycure The Israeli mobile security start-up  has exposed a vulnerability with that  hackers can control and spy on iPhones. This is a major security vulnerability for configuration profiles of iOS  pose malware threat.

Files known as mobileconf files are affected by this vulnerability, this files are used for cell phone configure system-level settings  . Files can include Wi-Fi, VPN, email, and APN settings. Apple used to use them to deliver patches, and carriers sometimes use them to distribute updates.

Adi Sharabani, CEO and co-founder of Skycure, made a demonstration that how sensitive information, including the victim’s exact location, could be retrieved, while also controlling the user’s iPhone.

 In Demo, They setup a fake website with a prompt to install a configuration profile and sent the link out to Victim. After installing it, he found out they were able to pull passwords and other data without his knowledge.

These malicious profiles can be emailed or downloaded from Web pages and after being installed, and attacker able to change a large number of iPhone settings.

If used maliciously, these profiles can be very dangerous. Even though their use is approved by Apple, they aren't subject to the standard sandboxing rules that apply to third party App Store apps and websites.

Other than an attack on privacy, this could lead to more dangerous consequences as an example, it is quite easy to change a GPS destination while driving and send the smartphone owner to a location the attacker chooses.